每日安全简讯(20160928)

1、APT28使用Mac木马Komplex攻击航空航天工业
2、网络间谍组织利用AlienSpy木马窥探名人手机
3、研究者发布工控设备Linux后门Wirenet分析报告
4、俄罗斯黑客论坛出售新版窃密恶意软件PonyForx
5、Spamhaus组织警告针对IPv4网络劫持事件增多
6、Mozilla准备阻止WoSign SSL证书长达一年时间

【安天CERT】搜集整理（来源：paloaltonetworks、easyaq、qq、softpedia、softpedia、softpedia）

1、APT28使用Mac木马Komplex攻击航空航天工业
标题：Sofacy’s ‘Komplex’ OS X Trojan

作者：September 26, 2016 11:00 AM By Dani Creus, Tyler Halfpop and Robert Falcone

//BEGIN
Unit 42 researchers identified a new OS X Trojan associated with the Sofacy group that we are now tracking with the ‘Komplex’ tag using the Palo
Alto Networks AutoFocus threat intelligence platform.
研究小组Unit42小组发现了一个新的能在OS X中运行的木马，该木马与组织Sofacy（也称APT28）相关，该木马在安全公司的威胁情报平台中被称为Komplex。

//END
The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their
continued evolution toward multi-platform attacks. The tool is capable of downloading additional files to the system, executing and deleting
files, as well as directly interacting with the system shell. While detailed targeting information is not currently available, we believe Komplex
has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the
Trojan. The Komplex Trojan revealed a design similar to Sofacy’s Carberp variant Trojan, which we believe may have been done in order to handle
compromised Windows and OS X systems using the same C2 server application with relative ease.
APT28组织借用这个Komplex木马攻击OS X操作系统，这显示了其朝着多平台攻击的方向迈出了重要的一步。该木马能在被攻击的电脑中下载、运行甚至删除文件，同时
也能与操作系统的System Shell进行交互。虽然目前细节不得而知，但是研究人员确认该木马被用来对航天工业行业的个人发起了攻击，同时借道其他的木马传送各种
有害程序或木马。而且该木马的表现出与以前的Carberp木马类似，而后者已经跨平台攻击Windows和OS X两个系统，一个细节是：其利用的C2服务器是同一个。

点评：苹果电脑也许是个方向。

2、网络间谍组织利用AlienSpy木马窥探名人手机
标题：“利比亚蝎子”网络间谍组织利用AlienSpy Android RAT攻击利比亚名人

作者：2016-09-27 11:00 By E安全

//BEGIN
某网络间谍活动组织正将矛头指向各位利比亚名人，具体手段为利用AlienSpy（JSocket、JBIfrost、Unrecom或者Adwind）这一远程访问木马（简称RAT）感染其
Android智能手机。

//END
“利用恶意技术作为武器，他们能够在利比亚这样的战乱地区通过追踪受害者的物理位置对其进行监视，或者执行暗杀乃至绑架等活动，”研究人员同时表示。

点评：个人对抗组织还是有难度的。

3、研究者发布工控设备Linux后门Wirenet分析报告
标题：威胁工控设备的经典Linux后门Backdoor.Wirenet分析

作者：2016-09-27 By 小白Random malwarebenchmark

//BEGIN
Backdoor.Wirenet并不是新近发现的恶意样本，但做为一款冲击大量Linux设备，甚至波及Mac OSX操作系统的后门程序，Backdoor.Wirenet还是有其历史地位的。

//END
该样本与212.7.208.65服务器进行通信，并使用该Password登录。这些解密出来的重要字符串在InstallHost中使用。InstallHost函数中Wirenet使用解密出的信息与
服务器建立连接，还在/.config/autostart中设置了开机自启动功能。

点评：ICS安全越来越受重视。

4、俄罗斯黑客论坛出售新版窃密恶意软件PonyForx
标题：New PonyForx Infostealer Malware Sold on Russian Hacking Forums
PonyForx is a fork of the more popular Pony infostealer

作者：Sep 26, 2016 14:05 GMT By Catalin Cimpanu

//BEGIN
A crook named Cronbot is currently selling a new malware variant on Russian underground hacking forums that appears to be a successful fork of an
older and very advanced infostealer called Pony.
一个名叫Cronbot的黑客在俄罗斯的地下黑客论坛出售老木马Pony的变种PonyForx，而Pony已然是一个时间较长但是功能很强大的信息窃取工具。

//END
The researcher discovered a campaign in September that was using the Neutrino exploit kit to deliver the Godzilla malware loader to users. In
turn, Godzilla would download the PonyForx infostealer, and after it was done, it would deliver the Locky ransomware.
研究人员发现名为Neutrino的漏洞利用包EK正在偷偷将恶意软件Godzilla安装到用户的机器上，而这个Godzilla会顺势下载本文的主角木马PonyForx；一旦这个木马成
功安装，它就会安装勒索软件Locky.

点评：malware葫芦娃一串一串的。

5、Spamhaus组织警告针对IPv4网络劫持事件增多
标题：Spamhaus Warns of a Rise in IPv4 Network Hijacks
Spammers behind most of today's network hijacking events

作者：Sep 27, 2016 02:35 GMT By Catalin Cimpanu

//BEGIN
Spamhaus, the organization that runs one of the Internet's largest, most accurate and up-to-date spam list, is warning against a spike in network
hijacking events.
该组织Spamhaus维护这一个互联网上最大的、也最准确的和及时的垃圾邮件等的列表。最近该组织发布警告称：互联网上正在利用IPV4 进行大规模的网络劫持工作。

//END
"It would seem that this activity will continue to be a problem until law enforcement starts to prosecute these criminal hijacking gangs and the
spammers they conspire with," Spamhaus adds.
除非国家的强力部门出手，将那些从事违法的劫持的家伙缉拿归案，否则这个活动还会继续下去。

备注: https://www.spamhaus.org/

点评：垃圾邮件是各种恶意程序以及勒索软件的温床。

6、Mozilla准备阻止WoSign SSL证书长达一年时间
标题：Mozilla Ready to Ban WoSign Certificates for One Year After Shady Behavior
Mozilla may also ban StartCom certificates

作者：Sep 26, 2016 23:50 GMT By Catalin Cimpanu

//BEGIN
Mozilla is pondering applying a one-year-long ban on all newly issued SSL certificates from Chinese CA (Certificate Authority) WoSign and Israeli
CA StartCom, which WoSign appears to have secretly bought last year.
WoSign证书是一个来自中国的数字认证机构，其核心技术来自以色列的StartCom公司，去年才购买来的。近来 Mozilla准备暂停以上两家公司新发行数字证书SSL一年
的时间。

//END
Furthermore, a ban in Chrome and other products is also on the table. "While other browser vendors and root store operators will need to make
their own decisions, we have laid out the information in this document so that they will understand the basis on which we have made our decision
and can make their own decisions accordingly," Mozilla said.
另外，Chrome等浏览器也在讨论中。如果这些浏览器不能通过一系列的测试的话，也可能被禁止之列。

点评：证书是网络上的身份证，也是信誉担保的。